On Friday, 27 March 2015 14:24 Al Lewis (allewi) <allewi at ...589...> wrote:
> That looks to be an Emerging Threat rule so you probably would want to contact them about that. There isn't a "content-list" rule option. The rule options are listed here: http://manual.snort.org/node32.html
>
> As for the block page are you listing the page with the "config react: <block.html>" in your config file? The steps are listed here http://manual.snort.org/node26.html under the "react" section.
>
> Note that the block|warn options under react are deprecated so you may want to try removing the 'block' from the react option.
>
> This is taken from the manual:
>
> This is an example rule:
>
> drop tcp any any -> any $HTTP_PORTS ( \
> content: "d"; msg:"Unauthorized Access Prohibited!"; \
> react: <react_opts>; sid:4;)
>
> <react_opts> ::= [msg] [, <dep_opts>]
>
> These options are deprecated:
>
> <dep_opts> ::= [block|warn], [proxy <port#>]
>
> Hope this helps.
>
Well, this sample isn't clear to me.
In the rule I have now:
... rev:2; react: <react_opts>; )
In snort.conf I've set:
config react: </opt/etc/snort/block.html>
and on startup there is an error:
snort[23748]: FATAL ERROR: react: /opt/etc/snort/rules_tmp/emerging-current_events.rules(5347) can't stat react page file '</opt/etc/snort/block.html>'.
Also I don't know where exactly to set:
<react_opts> ::= [msg]
In snort.conf? In the rule?
I regret that there aren't any samples or tutorials of the above on the internet. Am I the only one who uses an information page for blocking in IPS? ;)
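
The FATAL ERROR above quotes the file name with its angle brackets, so the manual's `<...>` placeholder notation was read as part of the path. The following preflight check is an added example, not part of the original thread or the Snort project; the function names, exit codes and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: catch manual placeholders (<...>) copied literally
# into snort.conf ("config react:") or into a rule's react option.

# Print the value of the last "config react:" directive in file $1.
react_page() {
    sed -n 's/^[[:space:]]*config[[:space:]]\{1,\}react:[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Exit status: 0 = page readable, 1 = literal angle brackets in path,
# 2 = page missing or unreadable, 3 = no "config react:" directive.
check_react_page() {
    crp_page=$(react_page "$1")
    [ -n "$crp_page" ] || return 3
    case "$crp_page" in
        *'<'*|*'>'*) return 1 ;;
    esac
    [ -r "$crp_page" ] || return 2
    return 0
}

# Count active (uncommented) rules in file $1 whose react option still
# holds a placeholder such as "react: <react_opts>;". Per the grammar
# quoted above, the non-deprecated form is "react;" or "react: msg;".
count_placeholder_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'react:[[:space:]]*<' || true
}

# Usage: ./check_react.sh /path/to/snort.conf [rules-file ...]
if [ "$#" -gt 0 ]; then
    conf=$1; shift
    rc=0; check_react_page "$conf" || rc=$?
    echo "$conf: config react check status $rc"
    for rules in "$@"; do
        echo "$rules: $(count_placeholder_rules "$rules") placeholder react option(s)"
    done
fi
```

Status 1 corresponds to the situation in the message above: the path is written between `<` and `>`, so Snort cannot stat it.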